Cisco Prime Network Services Controller Adaptor for DFA product brochure page

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Page 5 of 45 
Cisco Unified Fabric enhances the traditional frame and packet forwarding by improving the Ethernet flood-and-learn concept. By using Cisco FabricPath frame encapsulation and its conversational learning for Layer 2 traffic, Cisco Dynamic Fabric Automation (DFA) uses the forwarding methodology of frame routing to overcome logical single-tree topologies. By adding a control plane for host and subnet reachability, unnecessary flooding can be reduced by using proactive learning. In addition to the enhanced control plane and data plane for unicast and multicast forwarding, Cisco DFA reduces the Layer 2 failure domain by having the Layer 2 and Layer 3 demarcation on the host-connected leaf switch, terminating the host-originated discovery protocols at this layer. The use of the distributed proxy or anycast gateway technology on all leaf switches for a given VLAN also improves resilience and allows the fabric to scale to a larger number of hosts.
A major difference between the distributed gateway technology in Cisco Unified Fabric and anycast HSRP and other traditional FHRPs such as HSRP, VRRP, and GLBP is the absence of a hello exchange between the various leaf nodes participating in and serving the same virtual IP address. Each Cisco Unified Fabric leaf provides the same pervasive gateway MAC address and IP address for a given subnet without using any additional anycast or hello control-plane protocol.
Overview of Firewall and Cisco Unified Fabric Network Integration
Typically, network and application teams work together to deploy firewalls. This process can be divided into three main tasks: network service node integration, service node deployment, and service policy creation. The manual steps for accomplishing each main task are presented here.
Service Node Integration
Service node integration includes the following steps:
● Set a relevant Layer 2 configuration on the port of the network access device (leaf node): trunk or access port, VLAN membership, mapping of the bridge domain and VLAN to the segment ID, selection of a forwarding mode (Enhanced Forwarding, Traditional Forwarding, or Layer 2 mode), etc.
● Set a relevant Layer 3 configuration on the network access device (leaf node): switch virtual interface (SVI) IP address and mask, VRF membership, static routing or dynamic routing protocol (when applicable), redistribution of service-node-originated route prefixes, etc.
● Attach the service node's network interfaces to the network access devices. This step could also be part of service node deployment.
● Set a relevant Layer 2 and Layer 3 configuration on the port of the service node: VLAN access and trunk, Layer 3 interface and subinterfaces, static or dynamic routing, etc. This step could also be part of service node deployment.
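The integration steps above depend on every leaf presenting the same pervasive gateway MAC and IP for a subnet and the same VLAN-to-segment-ID mapping, as the earlier distributed-gateway paragraph states. The following check is an added example, not Cisco code or a Cisco API; the leaf inventory and its record layout are constructed here to show how an operator can flag a leaf whose Layer 2 or Layer 3 settings diverge from the rest of the fabric before hosts start moving between leaves.

```python
"""Consistency check for the distributed gateway and segment-ID mapping
across DFA leaf switches.  Added example with a constructed inventory;
the dict layout is an assumption, not a Cisco data model."""
from collections import defaultdict

# Constructed inventory: leaf name -> list of per-VLAN SVI records.
LEAVES = {
    "leaf-1": [
        {"vlan": 100, "segment_id": 30100, "vrf": "Tenant-A",
         "gw_ip": "10.1.1.254/24", "gw_mac": "0000.1111.2222"},
        {"vlan": 200, "segment_id": 30200, "vrf": "Tenant-A",
         "gw_ip": "10.1.2.254/24", "gw_mac": "0000.1111.2222"},
    ],
    "leaf-2": [
        {"vlan": 100, "segment_id": 30100, "vrf": "Tenant-A",
         "gw_ip": "10.1.1.254/24", "gw_mac": "0000.1111.2222"},
        # Mistyped gateway IP: a host that moves from leaf-1 to leaf-2
        # keeps its cached default gateway and loses Layer 3 reachability.
        {"vlan": 200, "segment_id": 30200, "vrf": "Tenant-A",
         "gw_ip": "10.1.2.253/24", "gw_mac": "0000.1111.2222"},
    ],
    "leaf-3": [
        # Same VLAN mapped to a different segment ID: VLAN 100 frames from
        # leaf-3 land in a different bridge domain fabric-wide.
        {"vlan": 100, "segment_id": 30101, "vrf": "Tenant-A",
         "gw_ip": "10.1.1.254/24", "gw_mac": "0000.1111.2222"},
    ],
}

FIELDS = ("segment_id", "vrf", "gw_ip", "gw_mac")


def find_inconsistencies(leaves):
    """Return a sorted list of (vlan, field, {value: [leaves]}) for every
    field whose value is not identical on all leaves carrying that VLAN."""
    per_vlan = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for leaf, records in leaves.items():
        for rec in records:
            for field in FIELDS:
                per_vlan[rec["vlan"]][field][rec[field]].append(leaf)
    problems = []
    for vlan in sorted(per_vlan):
        for field, values in per_vlan[vlan].items():
            if len(values) > 1:  # more than one distinct value seen
                problems.append(
                    (vlan, field, {v: sorted(ls) for v, ls in values.items()}))
    return problems


if __name__ == "__main__":
    for vlan, field, values in find_inconsistencies(LEAVES):
        print(f"VLAN {vlan}: {field} differs across leaves: {values}")
```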
Service Node Deployment
The details of service node deployment are typically vendor specific and may differ depending on scale, high-availability, and performance requirements. Following are general tasks commonly performed when deploying a service node:
● Create a service node: a physical node, virtual machine, or virtual context.
● Create logical inside and outside links: an untagged physical or tagged IEEE 802.1Q subinterface or some other kind of interface, according to the appliance's capabilities.
● Create a forwarding context: either a single context or multiple contexts, binding inside and outside logical interfaces.
● Create a virtual IP address. This address is used by load balancers to attract traffic to a virtual server farm. This step can also be a part of policy creation.